Date: Tue, 13 Oct 2009 16:34:10 +0100
From: "Jasvinder S. Bahra" <bbdl21548@blueyonder.co.uk>
To: <freebsd-questions@freebsd.org>
Subject: Re: freebsd jail: web and database server config questions
Message-ID: <9A3A5718E988446A83A59583AB2D2CDA@atlantis>
References: <815964.80537.qm@web51104.mail.re2.yahoo.com>

I'm no expert but I'll give this a go.

> Is it advisable/wise/okay/clever to run a webserver on my host
> system and a database server on my jailed system? The webserver
> will need to connect to the database system on startup and
> update the database based on client access.

A key concept in securing a system is defence in depth. Personally, I would set up two jails on the system and run the database in one jail and the webserver in the other. That way, if one of the two became compromised, the intruder would still have to do some work to get system root access.

> However, if a machine gets compromised, it would rather be the
> webserver, therefore running the webserver in the jailed
> environment seems better to me. But how could that be done, if
> the webserver requires to connect through tcp/ip to the
> database server running on the host system? I thought that a
> key-feature of a jailed system is that it can't access
> resources outside the jail.

You're correct that a jail is almost entirely self-contained, but no more so than a standalone system - and a standalone system can still communicate with other systems using network communications. In (exactly) the same way, a process in one jail can still communicate with a process in another jail.

For example, say you were using MySQL and Apache Webserver. If the two processes were running on two different systems, they can communicate with each other via a network connection on port 3306. As a jailed system is a virtual-standalone system, each of them would have a virtual-network card, and so two separate IP addresses. Thus, the two processes could communicate with each other in exactly the same way as the two actually-standalone systems.

> And how do I go around when I need to update my host system due
> to a security advisory. I heard the jailed environment will not
> be affected? So basically that means I would need to create a
> new jail every time I recompile (as that's the way I'm using to
> stay current)

You're correct, recompiling the host system does not affect the jailed systems. However there are ways around that. I use a tool called ezjail. It allows you to update a jail with a single command. See http://erdgeist.org/arts/software/ezjail/ and the handbook for more details.

Jazz
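
The two-jail layout described in this message, sketched as an added example that is not part of the original e-mail: a plain jail.conf(5) fragment (not ezjail's own configuration) giving the webserver and the database each their own jail and IP address. The jail names, addresses, interface names, hostnames and paths are assumptions, and it presumes a FreeBSD release that reads /etc/jail.conf.

```conf
# /etc/jail.conf  (added example; every name, address and path is an assumption)
# Host /etc/rc.conf is assumed to contain:
#   cloned_interfaces="lo1"
#   jail_enable="YES"

# Defaults shared by both jails
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                          # run jail commands with a clean environment
mount.devfs;                         # each jail gets its own restricted /dev
path = "/usr/jails/$name";           # separate filesystem tree per jail
host.hostname = "$name.example.org";

# Webserver jail: the exposed service, so the one more likely to be compromised.
# Its address is aliased on the external NIC (em0 is assumed).
www {
    ip4.addr = "em0|192.0.2.10/24";
}

# Database jail: its address is aliased on the cloned loopback lo1,
# so it is not configured on the external NIC at all.
# Inside this jail, MySQL would listen on that address only, e.g. in my.cnf:
#   bind-address = 10.0.0.20
# and the application account would be limited to the web jail's address,
# e.g. 'webapp'@'192.0.2.10' (account name is hypothetical).
db {
    ip4.addr = "lo1|10.0.0.20/32";
}
```

With this layout the webserver in `www` reaches MySQL at 10.0.0.20 on port 3306 over TCP, exactly as it would reach a database on a separate machine, while a compromise of either jail still leaves the host outside the jail's filesystem and process view.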